comparison doc/customizing.txt @ 4880:ca692423e401
Different approach to fix XSS in issue2550817
Encapsulate the error/ok message append method as add_ok_message and
add_error_message. The new approach escapes the messages when appending
-- at a point in the code where we still know where the message comes
from. Escaping is the default but can be turned off. This also fixes
issue2550836 where certain messages may contain links.
Another advantage of the new fix is that users don't need to change
installed trackers and are secure by default.
| author | Ralf Schlatterbeck <rsc@runtux.com> |
|---|---|
| date | Mon, 31 Mar 2014 18:19:23 +0200 |
| parents | 07014a4b8a49 |
| children | b07014d6a7aa |
| 4879:302c967d710c | 4880:ca692423e401 |
|---|---|
| 2956 See the docstring of that class for details of what it can do. | 2956 See the docstring of that class for details of what it can do. |
| 2957 | 2957 |
| 2958 The method will typically check the ``self.form`` variable's contents. | 2958 The method will typically check the ``self.form`` variable's contents. |
| 2959 It may then: | 2959 It may then: |
| 2960 | 2960 |
| 2961 - add information to ``self.client.ok_message`` or ``self.client.error_message`` | 2961 - add information to ``self.client._ok_message`` |
| 2962 or ``self.client._error_message`` (by using ``self.client.add_ok_message`` | |
| 2963 or ``self.client.add_error_message``, respectively) | |
| 2962 - change the ``self.client.template`` variable to alter what the user will see | 2964 - change the ``self.client.template`` variable to alter what the user will see |
| 2963 next | 2965 next |
| 2964 - raise Unauthorised, SendStaticFile, SendFile, NotFound or Redirect | 2966 - raise Unauthorised, SendStaticFile, SendFile, NotFound or Redirect |
| 2965 exceptions (import them from roundup.cgi.exceptions) | 2967 exceptions (import them from roundup.cgi.exceptions) |
| 2966 | 2968 |
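Review bot: the new docstring lines 2961-2963 name `add_ok_message` / `add_error_message` but say nothing about their escaping behaviour, which is the whole point of this change: the commit message states that escaping is on by default and can be turned off, so a detector author who deliberately emits markup (the issue2550836 case) needs to know that the default will escape it and which option disables that. Add a sentence such as "messages are HTML-escaped by default; see the method docstrings for how to disable escaping for trusted content". Also, the attribute names change from the public `ok_message` / `error_message` to the underscored `_ok_message` / `_error_message`; since the commit message promises that installed trackers need no changes, the doc should say whether direct appends to the old attribute names still work or are now unsupported.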
| 4991 ''' Verify that the user has selected a category, and then move | 4993 ''' Verify that the user has selected a category, and then move |
| 4992 on to page 2. | 4994 on to page 2. |
| 4993 ''' | 4995 ''' |
| 4994 category = self.form['category'].value | 4996 category = self.form['category'].value |
| 4995 if category == '-1': | 4997 if category == '-1': |
| 4996 self.client.error_message.append('You must select a category of report') | 4998 self.client.add_error_message('You must select a category of report') |
| 4997 return | 4999 return |
| 4998 # everything's ok, move on to the next page | 5000 # everything's ok, move on to the next page |
| 4999 self.client.template = 'add_page2' | 5001 self.client.template = 'add_page2' |
| 5000 | 5002 |
| 5001 def init(instance): | 5003 def init(instance): |
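Review bot: unchanged context line 4996 reads `category = self.form['category'].value`, which raises KeyError when the form has no `category` field (for example a hand-crafted request), so the example detector would fail before reaching the new `add_error_message` call on line 4998. Since this example is being touched anyway, guard the lookup, for instance `if 'category' not in self.form: self.client.add_error_message('You must select a category of report'); return`, so the sample code demonstrates the safe pattern as well as the new API.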
